CVE-2026-20895

Name of the Vulnerable Software and Affected Versions WebSocket backend (affected versions not specified)

Description The backend utilizes charging station identifiers to uniquely associate sessions but permits multiple endpoints to connect using the same session identifier. This results in predictable session identifiers, enabling session hijacking or shadowing. A recent connection can displace a legitimate charging station and receive backend commands intended for it. This may allow unauthorized authentication or a denial-of-service condition by overwhelming the backend with session requests. The API endpoints are susceptible to this issue due to the handling of session identifiers. The vulnerability involves the manipulation of session identifiers, potentially affecting the session id variable.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.